Posted by CowboyNeal on Thursday April 13, 2006 @07:42PM from the full-and-we-mean-full dept.

Old Banana writes "Is Microsoft silently fixing security vulnerabilities and deliberately obfuscating details about patches in its monthly security bulletins? Matthew Murphy, a security researcher who has worked closely with the MSRC (Microsoft Security Response Center) in the past, is accusing the software maker of 'misleading' customers by not clearly spelling out exactly what is being patched in the MS06-015 bulletin released on April 11."

How would you like a birth control patch that also doubles as a nicotine patch without your knowledge? Sure you can have sex without worrying about getting pregnant, but there would be no cigarette afterwards.
What MS has done is taken away the cigarette from the consumer. My Windows sex machine can "interface" all night long without getting pregnant, but it can still get STDs and won't be smoking any more afterwards.

The big problem when they do this is compatibility testing. I work at numerous companies where we need to read through each patch to see what they 'fix'. Now when Microsoft does this we will just have to guess what they might break in a legacy application deployed across the world.

Companies actually testing their software against the latest releases of Windows? That's definitely a change from what I normally see; lazy software companies sitting around, rolling naked in money, then running an anti-Microsoft

I'll say it once, and say it again; it isn't Microsoft's responsibility to provide backwards compatibility to people

I'd disagree, partially, with this. Yes, it isn't Microsoft's responsibility to provide backwards compatibility to people who have used undocumented behaviour - but where they have changed the API so that it no longer operates as documented, then it is their responsibility.

But that isn't the issue; the issue is, they FIX an API so that it works the way it's documented, but people expect that they provide compatibility for those who relied on the API when it was broken.

As a software developer I can tell you that customers are a pain in the arse. I don't know if you know that yet, but most of them expect software to be written within 5 minutes of their first phone call that something is not like they want it. And if Microsoft releases patches, it's just not as easy as you say to simply demand a patch from the developers. I mean, come on, do you think that, especially for large scale enterprise applications, when a patch rolls in, they can deploy everything in one day, fix,

Aside from the terrible, terrible, sad analogy, do you enjoy Windows vulnerabilities as much as a cigarette after sex? Patching flaws without disclosure (as long as that is indeed what they are doing) is like taking a pill for a cold and having it cure your syphilis while it's at it.

I believe a more apt analogy would be taking a pill for your cold and getting chemo in addition. And then you have to take another pill to fix that problem, but it gives you syphilis. Then you take another pill and it cures your syphilis and gives you the cold - so you're back where you started, just with a lot less time.

How would you like a birth control patch that also doubles as a nicotine patch without your knowledge?

Believe me, you would know. When I tried to quit using nicotine patches, the first thing I noticed was that they irritated my skin. You could tell where the patch had been by the red welt. The other problem I noticed was that, since it delivers a constant dosage of nicotine, I would feel hyper all day and have difficulty sleeping. Finally, if I broke down and had a cigarette anyway, more often than not I

If you explain exactly what is being patched, then you give the hackers a pretty clear roadmap of what they need to do to exploit all of the unpatched systems, don't you? The sad truth is that most systems remain unpatched. Granted, Microsoft's assumption that its customers are idiots that couldn't handle the truth is annoying to those of us that do understand the problems, but in the majority of cases their assumption is pretty close to the truth - they are protecting the naive by not giving hints out to t

This brings up the age old debate which I will not revive. However, my spin is that if you are patching a vulnerability you should disclose that. Otherwise the end user might not apply the patch. This very same situation happened with Cisco at Blackhat and ended up in the Courts and Cisco ended up with a public black-eye. Based upon the IT reaction to that I would venture the assumption that we want to know.

Well, it's one thing if Microsoft says "this is an update", as opposed to "this eliminates a security flaw". I don't think Cisco was explicitly stating that patches were for security, and I don't think Microsoft could be expected to be responsible if it issues a patch labeled as a security fix and a user doesn't apply it.

Quite frankly I don't think the end users are so selective about their patching. If you see a critical patch, you apply it and that's that. In a corporate setting they may be more selective, but the average Joe goes all the way.

The average Joe is not the customer who loses twenty million dollars when a patch unexpectedly breaks a legacy app three months after it was installed, leading to downtimes as a suitable old version of Windows has to be found and redeployed.

But what if the supposedly wise guy that had decided not to install the patch because it might break something gets bitten by an attack because the patch wasn't installed? In hindsight it is always easy to say "you should not have installed the patch without 3 months of testing you dumbo", but in practice you can hardly test the full functionality of a system before deciding that a patch is OK to release. See the article about breaking Word 2002 on this page. Who would guarantee that this would be found, m

That makes sense, but my point is that even though the majority of users (would) install every single patch and thus don't need detailed information about what it does to which parts of the system some very large customers need this very information to identify potentially harmful updates - and while Joe Sixpack might lose a couple dollars worth of data when his system goes haywire a company with a large datacenter might lose much more money and might want it back from Microsoft when it turns out that they

By default windows update doesn't even prompt you to install patches. You can opt to be prompted before installing patches.

However Windows Update categorises its patches. All patches automatically downloaded or presented to the user are categorised and represented as critical patches. Non-critical patches can only be downloaded by going to the windows update site and electing to download and install them.

I believe the following quote from the article better summarizes the dude's argument:

"As a result, administrators may deploy patches unnecessarily, erring on the side of caution (and risking compatibility problems in the process), or they may choose not to deploy based on incomplete information. Individuals making these kinds of decisions deserve better information"

I agree to an extent but someone who's going to exploit what's being patched can easily look at the patch and create their own roadmap, or at least a sketchy pirate map of what was wrong. Better to disclose the information in my opinion and let the naive suffer.

If you explain exactly what is being patched, then you give the hackers a pretty clear roadmap of what they need to do to exploit all of the unpatched systems, don't you?

You do that already by providing a patch. The bad guys will simply look at the differences of the binaries and find out what has been patched. So instead of helping the good guys, Microsoft gives an information advantage to the bad guys.

Microsoft's just trying to save face, they could quite obviously still tell you that your applications and/or operating system had flaws that you needed to be aware of without going into specifics. Regardless of how much they want to disclose, one would imagine that they should have a legal responsibility to their customers to release any knowledge they have about a fault in their product that could compromise the security of their customers financial and private information, particularly in today's age of

Microsoft doesn't fully document their system. Most people depend on third party documentation -- some (or much) of which is reverse engineered (against the eula). In any case, people are regularly using methods that are officially undocumented -- no matter how many people use them.

The problem arises when Microsoft decides that an 'undocumented' capability is the source of a bug. They fix the hole, but this may break your software in unpredictable ways. If you don't know what they fixed, you have no id

"If a patch breaks a mission critical piece of software it could cost some companies hundreds of thousands of dollars an hour."

If you deploy a patch on a mission critical (I cringe to think anything considered "mission critical" would be running on a windows box) machine without testing to see if it breaks anything, then you deserve to lose hundreds of thousands of dollars an hour.

...without testing to see if it breaks anything, then you deserve to lose hundreds of thousands of dollars an hour.

True, but you can't always do exhaustive testing, so you test based on what you think has changed (plus a bit of random testing just to make sure).

If MS tells you that they've changed A, B and C, then you test to make sure that those changes won't break your system. If you aren't aware that patches X, Y and Z have been included in your patch then you won't know to do extra testing of the

Why is it bad? Because when Microsoft claims that Linux is more vulnerable than it is bad. Also, it is bad when Microsoft claims that there have been fewer bugs in MS than in Linux or any other operating system. It seems more like a marketing attempt than anything else. With MS getting beat up over security, they can look good by simply not telling people that it has been patched.

Yeah, who cares about the fact that they are deliberately withholding information that can directly threaten their customers? I'm perfectly happy that my network security matters less to Microsoft than their image does. As long as they get around to fixing whatever the hell the problem was, it's all good, right? It appears to me that there are two possibilities here:

Look, you do not have the source, so you are already incapable of knowing what is going on. Combine that with MS's lack of veracity, and you have a company that you should not trust. Yet you will.

For all practical points, Business users have no more reason to know than does a home user. In fact, I think that MS should put out their releases with simple names on each patch. That is function a, b, c, etc and 0 explanation of what it is. That would enc

The problems happen when a business finds that an update causes problems for important software. Given the list of fixes the admins may determine that the problem fixed in the update does not affect the system. e.g. the update is for a bug in telnet, but telnet is blocked by the firewall. So the update is not installed. However unknown to the admins the update also fixes a very serious bug that does affect the system.

For all practical points, Business users have no more reason to know than does a home user

For the average business user, they don't need to know details. But I think we are talking about the average business sysadmin. They are the ones that have to explain to a VP why the patch they just installed crashed some critical program or trashed some data. They need to test what the patch specifically does so they can see if it affects anything. With more specificity, it is easier to test. Otherwise, they have

Oh, please sir. Share with us your secret to get XP booting up in 11 secs... seeing how you say adding 11 secs is doubling your boot time. Personally, whenever I boot my machine, regardless of the OS I'm booting to, I just hit the button on my way to grab my morning coffee, or something. It's running when I get to it and I simply don't sweat boot times.

I would think that corporate "Software Assurance" customers who are paying for continual updates and support, and have to support MANY legacy applications that may be affected by such flaws or patches would be (and ARE) demanding such notifications. Joe Bob Home User doesn't really care, but Fortune 100 Fred in IT sure does, especially when his job (which is to keep the company's infrastructure up and running) is on the line.

>> I fail to see any law or EULA where such notifications are required.

There are things you do because of the law and then there are things you do because they're right. The issue at stake is how much you trust MS to not break things with their fixes. What happens if a fix causes a critical application to break?

Say this was at a patient records system in a hospital? Say they changed their image handling code and xrays could not be displayed because the fix broke something either in operating syste

I would speculate that more people download Windows updates than almost any other piece of software (mostly because they are unaware, mostly because this feature comes standard and enabled in Win XP). So why would Microsoft want to divulge the security holes it is patching so openly? If I was looking to break into someone else's system the first place I would go is to microsoft.com, check to see what security holes it has just patched and then see if my neighbor has patched yet. It would be way too easy for pe

It would be way too easy for people to learn about the problems that Microsoft has riddled the world with.

Fine, but then wouldn't security/bug comparisons with open operating systems be skewed heavily in Microsoft's favor? I suspect that if they truly are hiding something, it is more about marketing than security.

I think the real point of the article was a few paragraphs in when Murphy said that "You simply don't know what the patches are for. It's virtually impossible to make a determination about a deployment time frame if not deploying a patch has the potential to place you at an additional, unknown risk." One of my favorite things about open-source systems like Redhat's RHN up2date is that you know exactly what a patch will affect and what code it will be changing. An update to the kernel, or to an individual pro

Murphy has not yet tested the patch to determine whether the drag-and-drop issue was actually fixed, but, even without testing, he argues that the way the information was released leaves everyone guessing.

WTF?

The guy making all the noise is just shooting his mouth off until he's actually tested the patch.

Yes, he has a valid gripe that the wording is unclear, but the crux of his complaint balances on the fact that MS allegedly patched something without coming out and saying so.

It's incredibly stupid to put yourself out on the line like that. One day it'll come back and bite him when he's wrong.

The guy making all the noise is just shooting his mouth off until he's actually tested the patch.... the crux of his complaint balances on the fact that MS allegedly patched something without coming out and saying so.

No, the crux of his complaint is that he can't tell what he's supposed to be looking for. How is he supposed to test what M$ does not tell him? For some reason he thinks M$ is going to tell him what their "updates" do. How many hours do you expect him to test every month?

However, I will address your post: He has specific complaints about ONE patch. It would have been prudent for him to make some efforts towards testing the ONE patch he has a problem with.

When someone comes to me with a computer (or other) problem, I ask them 1. what they think is wrong and 2. what did they do to try and solve it. My problem is that he didn't even make a token effort at step 2. He stopped at step 1 (I don't know what this patch is doing) and then went complaining.

The reason he's complaining is because each patch report is supposed to cover a patch that fixes a specific problem, linked to with the bug report. His complaint isn't with the patch. It's with the report about th

I like what you've said and agree.
I work in the aviation industry and aircraft manufacturers release similar 'patches'. One operator of a certain aircraft (say B747) discovers a crack in a certain part of the wing, or a control cable that is jamming. They report this to Boeing, who then release a service bulletin to all the users with all the details, including the appropriate timeframe within which the inspection / modification must take place and steps required for the repair. It may be to inspect a part,

I think you've hit the nail on the head, but it seems even worse than that. Without MS providing enough information, we don't know which is going to be worse, the patched or the unpatched system, until exhaustive testing is done or until there is catastrophic failure. So, we're basically screwed either way unless we can just halt all operations, in which case we're basically screwed from a business standpoint. This is the basic gist of the complaint as I understand it. I think you were saying roughly the sam

To me this looks like MS have patched the flaw they say they have, and maybe seen some other bugs that were in there whilst they were there.

This is not necessarily a good thing though, as vagueness in what a patch fixes implies vagueness in testing that the patch works properly. Microsoft should post exactly what it fixes, so people know what they are putting on their system. For instance, what if the patch breaks third party software? As the third party won't know what was changed, they can't fix it.

"This is not necessarily a good thing though, as vagueness in what a patch fixes implies vagueness in testing that the patch works properly."
You're either kidding, or you've never been part of a software development organization.

I'm not kidding at all. Also, I work as a Telecoms software engineer and so I would say I have a fair experience of working with software development.

We test our patches before they go out. When an application is patched, the entire functionality of the application is re-tested and particular attention is paid to issues which have recently been fixed in the same code, and are outstanding in the code.

This way, when we write the release notes for the patch, we can provide a list of any known bugs that the

If I'm getting the gist of the article correct, it sounds like this guy is just whining because he found a variation of a vulnerability that was being fixed and he didn't get his name posted in the headline as finding the main vulnerability.

So, really, this is just a single guy complaining because he feels like he should have been a headliner but MS felt he was just an extra.

MS is pretty well getting in the habit of understating or perhaps blandly stating any problems. I particularly have noticed that with every release of Windows, error messages get more and more vague. I fully expect that by the time Vista makes it to market, all error messages will be replaced by a single pop-up that reads "Something bad happened". Figuring out exactly which bad thing happened will be left as an exercise for the poor techie who gets called in to "Fix this problem right now!".

This doesn't really matter. End-users do not read popup messages anyway, because they have developed a semiconscious habit of clicking away any dialog that only has an OK button. Small wonder, because those appear for so many reasons that one cannot afford to spend the time to learn about all of them. What an OS should do is to present the "Something bad happened" to the user, and log the real error in the system log with enough detail for the techie to analyze it. This is being done in Windows, but not to t

Remember when there was an update to Windows Media Player that added those DRM module things and there was a big outcry? I may be acting a bit paranoid, but isn't it remotely possible that Microsoft could sneak in other restrictions like this without users ever knowing?

New patch advisory: "This patch solves yet another attack vector that can be exploited by a malicious hacker. The fact is, this is like sticking your finger in a dike. Actually, it is more like sticking your finger in a non-existent dike against a tsunami. Tomorrow, five other security holes will be discovered. Odds are, this patch will introduce yet more attack vectors. You are screwed"

Hello, we'd like to announce a new security patch, that's um, kind of critical. What is it? Well, let's just say when we say it, everyone said "OMFG!" and started running around like people with their hair on fire...

Now, we can't tell you what it is, because if we did that, you might clue in that we probably made the same mistake in pretty much all the code we rolled out to give you that latest Feature (Patent Pending), and telling you would mean that lots of script kiddies would be making your copy of Windows Vista turn into a large pr0n server that played Death Metal tunes.

So, just trust us on this one, and... well... it's not optional.

P.S.: Please ignore the large backdoor we installed to scope your box out to see if you're trying to run some kind of Linux device on your network. It's just there for... um... your security... yeah, that's right...

How to find out? MD5 sum your \windows folder including the sub-directories (don't forget the hidden ones) before the patch. MD5 sum again after the patch and compare the results. bdiff the questionable file differences and disassemble. At least that's what I used to do as a prior legitimate Windows license(s) owner (but before being called a thief by Microsoft).
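The procedure in the comment above (hash the tree before the patch, hash it again afterwards, diff the results, then look at the bytes of whatever changed) is the same "diff the binaries" step an earlier comment says attackers perform on every patch. Below is an added example of that baseline-and-compare check; it is not code from the original page or from Microsoft. It uses SHA-256 rather than MD5 (MD5 still detects accidental change, but it is collision-broken, so an adversary can craft a replacement file with the same MD5), walks hidden directories as well, and stands in for bdiff with a small byte-level comparison. The directory tree it hashes is constructed inline and is an assumption; point snapshot() at a real system folder to use it for real.

```python
"""Baseline-and-compare file integrity check (added example, not from the page).

snapshot(root)       -> {relative_path: sha256_hex} for every regular file under root
compare(before, after) -> (added, removed, changed) relative paths
byte_diff(old, new)  -> (first_differing_offset, differing_bytes, size_delta)
"""
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Hash every regular file under root, hidden directories included.

    os.walk does not skip dot-directories, so '.hidden' is covered; symlinks
    are skipped so a link outside the tree cannot be mistaken for a change.
    """
    root = Path(root)
    hashes = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            h = hashlib.sha256()
            with open(p, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            hashes[p.relative_to(root).as_posix()] = h.hexdigest()
    return hashes


def compare(before, after):
    """Return (added, removed, changed) relative paths between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = sorted(p for p in before if p in after and before[p] != after[p])
    return added, removed, changed


def byte_diff(old, new):
    """Tiny stand-in for bdiff: offset of the first difference (None if the
    contents are identical), number of differing bytes over the common prefix,
    and how much the file grew or shrank."""
    first = next((i for i, (a, b) in enumerate(zip(old, new)) if a != b), None)
    if first is None and len(old) != len(new):
        first = min(len(old), len(new))
    differing = sum(1 for a, b in zip(old, new) if a != b)
    return first, differing, len(new) - len(old)


def demo():
    """Constructed sample tree standing in for a system folder (assumption):
    a fake 'patch' rewrites one executable, leaves a .bak copy behind and
    deletes a cache file in a hidden directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32").mkdir()
        (root / ".hidden").mkdir()
        exe = root / "system32" / "verclsid.exe"
        old_bytes = b"MZ" + b"\x00" * 30 + b"v1"
        exe.write_bytes(old_bytes)
        (root / "system32" / "shell32.dll").write_bytes(b"MZ" + b"\x90" * 60)
        (root / ".hidden" / "cache.bin").write_bytes(b"old-cache")
        before = snapshot(root)

        # apply the fake patch
        new_bytes = b"MZ" + b"\x00" * 30 + b"v2!"
        exe.write_bytes(new_bytes)
        (root / "system32" / "verclsid.exe.bak").write_bytes(old_bytes)
        (root / ".hidden" / "cache.bin").unlink()
        after = snapshot(root)

        added, removed, changed = compare(before, after)
        # inspect the bytes of each changed file before reaching for a disassembler
        details = {p: byte_diff(old_bytes, (root / p).read_bytes()) for p in changed}
        return {"added": added, "removed": removed, "changed": changed, "bytes": details}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In practice the "before" snapshot is taken once and stored off-box, since a patch (or an attacker) that can modify the files can also modify a baseline kept next to them; the comparison then tells you exactly which files to load into a disassembler.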

Like I said earlier today, you either own a Microsoft appliance or a personal computer, these days you can't have both. Switch to something else or stay with Windows.

Only if life were that simple; if WINE were 100% reliable and every application worked out of the box, the need to use Windows for many users would be a non-issue; the problem is, people remain with Windows for the very reason that they need applications, they aren't available for *NIX, but at the same time, they're not going to biff out their

You're not queer, just confused. There is no gay gene. You're different, get on with your life. Your parents (and their parents) spawned you. Nature/Darwin conflicts with your beliefs. You're weak and insecure. Get a woman, boink her and have a beer. Hell, get several ladies if you can.

Hey, I'm not the one who uses 'anonymous coward' because of fear of karma going through the floor

So whilst you're living in your mum and dads basement, twiddling with your doodle whilst playing Quake or some other damn game, I'm

My question wasn't if MS was going to get nailed for doing something like this, it was when.

The main reason for implementing the monthly patch cycle (AFAICT) was PR. A bad week with 3 critical patches could really kill a sales rep's story that MS 'professional programmers' was the way to go if you wanted a secure system. It was only a matter of time until some PR hack realized that things could look even better if you didn't bother to document every security hole that a monthly patch fixed.

The upside for the user end (most often touted) of the monthly patch cycle is that a company doesn't sometimes need a full time crew just to go through the sometimes daily critical patches to see if/and what they break. The two downsides are that you don't always know what the monthly patches fix, and a well timed zero-day patch can mean that the black hats have up to a month to stomp on your system before the official fix comes out.

The true developers at Microsoft must do the same. They need to put the Marketing Department back in its place. They need to be vocal, and they need to be harsh.

AFAICT, the marketing drones have (almost) always been in charge of Microsoft. In this case, it hasn't been all that bad for the company -- just bad for the users (and, to a lesser extent, the engineers -- but at least they got good stock options before MS stock flattened out).

"On 2002-09-24, Microsoft KnowledgeBase article ID Q311486, promised six months ago, finally appeared. Its publication date is falsified to claim that it appeared on 2001-10-26. It talks about programs that "pass invalid screen size parameters" when the sample program code that it gives for replicating the bug clearly contains nothing at all relating to screen size parameters."

Does your using spaces.msn.com/altitudinous/ (linked from http://www.petesmith.co.nz/ [petesmith.co.nz]) as your web site have anything to do with your astroturfing? I am a bit surprised that your web site didn't go to microsoft.nz.

What is your source for claiming that "Every software maker there is will fix bugs or patch holes without disclosing them."? I don't believe that this is a true statement.

The author of the story was Ryan Naraine; Google his name and you will find that he is not a green journalist and it does not

Last year when I had my problem with Windows 2000 hosing my system's partition table because installing it with Service Pack 3 on, THEN installing Service Pack 4 was insufficient to prevent it from hosing the partition table on a big disk when the outer portions of the disk eventually ended up being used, I finally dug up a Microsoft Knowledgebase article that admitted that "some disks" geometry wouldn't be read correctly in that situation.

Nowhere did Microsoft identify WHAT disks, WHY, or HOW. It was a "throwaway line" like that referenced in the present article. Microsoft was happy to say that LBA48 was supported by Windows 2000 Service Pack 4, but NOT that if you installed it first WITHOUT Service Pack 4 and then installed SP4, that Windows 2000 would silently wait until you actually tried to use the larger partitions before trashing your hard drive.

Yesterday, my office gets a frantic call from one of our clients, a lawyer. She had a filing deadline and was trying to finish a document she needed for this filing. Word 2002 stopped responding to user input every time she tried to save her document. All of my techs were out in the field, so I had to respond to this one (I'm VP Operations).

True enough, saving a document in Word or trying to open a new one while another document was open would hourglass the cursor. Only Task Mangler could end WINWORD.EXE.

Sysinternals's PROCEXP showed that every time a document was saved, Word would spawn VERCLSID.EXE as a child process, an executable that was "patched" by KB908531, which was pushed through Windows...err, Microsoft Update the day before.

I googled "verclsid" [google.com]. Let me tell you that yesterday, this search string returned no results. This morning, it returned exactly one [microsoft.com]. Now, it comes up with 67 web hits and 21 Usenet results [google.com].

Also, because of this "patch", typing "www.google.com" would return the generic IE "Server Not Found" page. One had to prepend "http://" to the URL. VERCLSID.EXE checks the validity of COM objects, so the damage wasn't confined to Office applications; it affected EXPLORER.EXE and IEXPLORE.EXE.

The workaround was to rename the current version of VERCLSID.EXE and restore the file from the backup created by KB908531 (a System Restore would have sufficed as well). I expect a patch for the patch to be released by Microsoft Real Soon Now. I guess this one was rushed out the door without sufficient testing.

Our company policy for patches is this: updates for servers are tested in-house before being deployed on production machines. For workstations, however, Windows Update is set to automatically update, unless the client's workstations run legacy applications, like the Reflection terminal emulator, or if high-end esoteric applications are present, like DataCAD or Design 20-20. As with servers, they're tested on a non-production system first.

I'd say that 10% of our clients got burned by 908531. Rolling it back wasn't that hard once we identified the problem, but this costs money.

I don't want to single out MSFT; last year an Apple Mac OS X security update broke Samba for me for about a week until I could figure out a workaround. But let's put this in perspective: how many people using Mac OS X (2 to 5% of the workstation market) also use Samba? Contrast this with the percentage of Windows XP/2K users also using Word (must be in the high 80% range), Internet Explorer, and the GUI, all affected by a buggy 908531 patch.

This would NOT happen in the Open Source world just because of the transparency of the software. OSS could not include such devious actions without a million people seeing it before it even gets to your machines.
I frequently check my updates even before I update my servers/desktops. I know what is getting put into my Linux boxen....
Do you???

You know, I've been mostly anti-ms for a long time now. I've been around in the normal pockets of resistance for just as long. I really have had a strange feeling lately, like there is a wave building against them. I see more media biased against them, as well as other governments recognizing their behaviour for what it is. Word is getting out, and you can't put the toothpaste back in the tube. I'm really getting the feeling that the castle is starting to crumble a bit under the weight. I'm curious to see i